Ubuntu CVE Tracker

Merge ~litios/ubuntu-cve-tracker:oval-fixes-improvements into ubuntu-cve-tracker:master

  1. Git
  2. lp:~litios/ubuntu-cve-tracker
  3. oval-fixes-improvements
  4. Merge into master
Proposed by David Fernandez Gonzalez
Status: Merged
Merged at revision: 01d2b74924341409183a0858d3a4897f79aead06
Proposed branch: ~litios/ubuntu-cve-tracker:oval-fixes-improvements
Merge into: ubuntu-cve-tracker:master
Diff against target: 101 lines (+41/-20)
1 file modified
scripts/oval_lib.py (+41/-20)
Reviewer Review Type Date Requested Status
Eduardo Barretto Approve
Review via email: mp+459018@code.launchpad.net

Description of the change

[OVAL]

-- Fix get_pkgs function to prevent race conditions --

    Sometimes, depending on how the CVEs are loaded, function
    get_pkgs wouldn't handle the packages properly. This would
    result in different binaries between runs, making OVAL inconsistent.

-- Retrieve update pocket + extra CVE fields --

    Add a function to retrieve the pocket of a given
    package and version from the cache.

    Add Mitigation and Notes fields to the CVE.

    This is needed for the JSON per-package generation.

To post a comment you must log in.
Revision history for this message
Eduardo Barretto (ebarretto) wrote :

lgtm, thanks!

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/scripts/oval_lib.py b/scripts/oval_lib.py
index 489200e..b30a987 100644
--- a/scripts/oval_lib.py
+++ b/scripts/oval_lib.py
@@ -144,26 +144,41 @@ def generate_cve_tag(cve):
144 cve_ref += '>{0}</cve>'.format(cve['Candidate'])144 cve_ref += '>{0}</cve>'.format(cve['Candidate'])
145 return cve_ref145 return cve_ref
146146
147def get_real_release(cache, source_name, release) -> str:
148 """ return the release in which the package is present.
149 This applies for the cases where a parent release
150 contains the package but not the requested release.
151 """
152
153 if release in cache and source_name in cache[release]: return release
154
155 rel = release
156 while cve_lib.release_parent(rel):
157 rel = cve_lib.release_parent(rel)
158 if source_name in cache[rel]:
159 return rel
160
161 # if the source package does not exist in any release, return None
162 return None
163
164def get_pocket(cache, source_name, version, release):
165 """ return the pocket of a specific package version in a release """
166 rel = get_real_release(cache, source_name, release)
167 if not rel: return None, None
168
169 return rel, cache[rel][source_name][version]['pocket']
170
147def get_binarypkgs(cache, source_name, release):171def get_binarypkgs(cache, source_name, release):
148 """ return a list of binary packages from the source package version """172 """ return a list of binary packages from the source package version """
149 packages_to_ignore = ("-dev", "-doc", "-dbg", "-dbgsym", "-udeb", "-locale-")173 packages_to_ignore = ("-dev", "-doc", "-dbg", "-dbgsym", "-udeb", "-locale-")
150 binaries_map = collections.defaultdict(dict)174 binaries_map = collections.defaultdict(dict)
151
152 if source_name not in cache[release]:
153 rel = release
154 while cve_lib.release_parent(rel):
155 rel = cve_lib.release_parent(rel)
156 r , vb = get_binarypkgs(cache, source_name, rel)
157 if r:
158 return r, vb
159
160 # if a source package does not exist in such a release
161 # return None
162 return None, None
163 175
164 for source_version in cache[release][source_name]:176 rel = get_real_release(cache, source_name, release)
177 if not rel: return None, None
178
179 for source_version in cache[rel][source_name]:
165 binaries_map.setdefault(source_version, dict())180 binaries_map.setdefault(source_version, dict())
166 for binary, bin_data in cache[release][source_name][source_version]['binaries'].items():181 for binary, bin_data in cache[rel][source_name][source_version]['binaries'].items():
167 # for kernel we only want linux images182 # for kernel we only want linux images
168 if source_name.startswith('linux') and not binary.startswith('linux-image-'):183 if source_name.startswith('linux') and not binary.startswith('linux-image-'):
169 continue184 continue
@@ -173,7 +188,7 @@ def get_binarypkgs(cache, source_name, release):
173 binaries_map[source_version].setdefault(bin_data['version'], list())188 binaries_map[source_version].setdefault(bin_data['version'], list())
174 binaries_map[source_version][bin_data['version']].append(binary)189 binaries_map[source_version][bin_data['version']].append(binary)
175190
176 return release, binaries_map191 return rel, binaries_map
177192
178class CVEPkgRelEntry:193class CVEPkgRelEntry:
179 def __init__(self, pkg, release, cve, status, note) -> None:194 def __init__(self, pkg, release, cve, status, note) -> None:
@@ -284,6 +299,8 @@ class CVE:
284 self.cvss = info['CVSS']299 self.cvss = info['CVSS']
285 self.assigned_to = info['Assigned-to'] if 'Assigned-to' in info else ''300 self.assigned_to = info['Assigned-to'] if 'Assigned-to' in info else ''
286 self.discoverd_by = info['Discovered-by'] if 'Discovered-by' in info else ''301 self.discoverd_by = info['Discovered-by'] if 'Discovered-by' in info else ''
302 self.notes = info['Notes']
303 self.mitigation = info['Mitigation'].strip() if 'Mitigation' in info else ''
287 self.usns = []304 self.usns = []
288 self.references = []305 self.references = []
289 self.bugs = []306 self.bugs = []
@@ -315,13 +332,17 @@ class CVE:
315 else:332 else:
316 pkg_rel_entry = self.pkg_rel_entries[str(pkg)]333 pkg_rel_entry = self.pkg_rel_entries[str(pkg)]
317 curr_pkg_rel_entry = self.pkg_rel_entries[str(pkg_rel[pkg.name])]334 curr_pkg_rel_entry = self.pkg_rel_entries[str(pkg_rel[pkg.name])]
318 if curr_pkg_rel_entry.status == 'fixed':335
319 priority = releases.index(pkg.rel) > releases.index(pkg_rel[pkg.name].rel) and \336 if curr_pkg_rel_entry.status == 'fixed' and pkg_rel_entry.status == 'fixed':
320 pkg_rel_entry.fixed_version in pkg.versions_binaries337 """Both fixed, we keep the oldest release"""
338 update = releases.index(pkg.rel) > releases.index(pkg_rel[pkg.name].rel)
321 else:339 else:
322 priority = releases.index(pkg.rel) < releases.index(pkg_rel[pkg.name].rel)340 """ If one is not fixed, we keep whichever is the newest release.
341 A regression may happen in a child.
342 """
343 update = releases.index(pkg.rel) < releases.index(pkg_rel[pkg.name].rel)
323344
324 if priority:345 if update:
325 pkg_rel[pkg.name] = pkg346 pkg_rel[pkg.name] = pkg
326347
327 for pkg in self.pkgs:348 for pkg in self.pkgs:

Subscribers

People subscribed via source and target branches